Check the cluster object parameters and ensure that it is configured to log to the management server.

Ramki

Adam BE wrote:
Here are a few suggestions:

1. See sk30530 - SmartCenter Server not receiving logs from Security Gateway, 
after migrating to distributed configuration.
* Make sure to convert your SmartCenter to a *host* and *delete all interfaces* 
in Topology Tab and re-install policy.
2. See sk26214 - Firewall not sending logs to SmartCenter Server, is storing 
logs locally.
3. Try to install database on your SmartCenter and re-open SmartView Tracker.

Keep us posted if any of these suggestions solved your problem.

Thanks,
Adam.

Mark Senior <[EMAIL PROTECTED]> wrote:

Hello list

I've got a peculiar situation here:  I've built a SPLAT R55 cluster (two
modules, HA new mode), and a Windows 2003 R55 management server.  For
some reason, the firewall logs aren't being received by the management
server.

From a network perspective, everything seems to be able to communicate
fine.  I can ping both directions between cluster members and management
server, install policies on the cluster, SSH to the cluster from the
management server, and so on.

As you can see from the output below, the modules are able to make
connections on TCP port 257 (FW1_log) to the management cluster, and
they're sending _something_ over the wire on those connections (not
much, as the ACK numbers don't seem to go above about 70)

Also, I'm unable to fetch the logs off the remote machines within
smartview tracker (tools > remote files management > pick a module, get
file list > pick a log file, fetch files).  The result is that the fetch
failed, with 0% progress.  However, I can fetch the logs successfully by
commandline with fw lslogs / fw fetchlogs.

Thanks in advance for your help
Mark



Some diagnostic output, which shows that:
(1) the module is generating, and at least attempting to send, logging
data:

[EMAIL PROTECTED] fw log -ft

Date: Mar 20, 2006
11:31:35 accept module-2 cluster; s_port: 32900; dst: management; service: FW1_log; proto: tcp; rule: 0; message_info: Implied rule;

11:31:50 accept module-2 cluster; s_port: 32901; dst: management; service: FW1_log; proto: tcp; rule: 0; message_info: Implied rule;


(2) the module is sending actual data on those logging connections, and
the management server is acknowledging its receipt, at layer three if
not higher:

[EMAIL PROTECTED] tcpdump -i eth2 -s 0 "port 257"
tcpdump: listening on eth2
11:28:32.715848 module-2.32888 > management.257: S 2425846703:2425846703(0) win 5840 (DF)
11:28:32.716150 management.257 > module-2.32888: S 2256300641:2256300641(0) ack 2425846704 win 16384 0,nop,nop,sackOK>
11:28:32.716190 module-2.32888 > management.257: . ack 1 win 5840 (DF)
11:28:32.716251 module-2.32888 > management.257: P 1:5(4) ack 1 win 5840 (DF)
11:28:32.716806 management.257 > module-2.32888: P 1:5(4) ack 5 win 65531 (DF)
11:28:32.716837 module-2.32888 > management.257: P 5:9(4) ack 5 win 5840 (DF)
11:28:32.868495 management.257 > module-2.32888: . ack 9 win 65527 (DF)
11:28:32.868515 module-2.32888 > management.257: P 9:69(60) ack 5 win 5840 (DF)
11:28:32.869060 management.257 > module-2.32888: P 5:59(54) ack 69 win 65467 (DF)
11:28:32.905408 module-2.32888 > management.257: . ack 59 win 5840 (DF)
11:28:32.905634 management.257 > module-2.32888: P 59:72(13) ack 69 win 65467 (DF)
11:28:32.905652 module-2.32888 > management.257: . ack 72 win 5840 (DF)
11:28:32.906653 module-2.32888 > management.257: F 69:69(0) ack 72 win 5840 (DF)
11:28:32.906854 management.257 > module-2.32888: . ack 70 win 65467 (DF)
11:28:32.906970 management.257 > module-2.32888: F 72:72(0) ack 70 win 65467 (DF)
11:28:32.906989 module-2.32888 > management.257: . ack 73 win 5840 (DF)
11:28:47.915845 module-2.32889 > management.257: S 2443795765:2443795765(0) win 5840 (DF)
11:28:47.916162 management.257 > module-2.32889: S 647665702:647665702(0) ack 2443795766 win 16384 0,nop,nop,sackOK>
11:28:47.916204 module-2.32889 > management.257: . ack 1 win 5840 (DF)
11:28:47.916267 module-2.32889 > management.257: P 1:5(4) ack 1 win 5840 (DF)
11:28:47.917000 management.257 > module-2.32889: P 1:5(4) ack 5 win 65531 (DF)
11:28:47.917014 module-2.32889 > management.257: P 5:9(4) ack 5 win 5840 (DF)
11:28:48.071400 management.257 > module-2.32889: . ack 9 win 65527 (DF)
11:28:48.071420 module-2.32889 > management.257: P 9:69(60) ack 5 win 5840 (DF)
11:28:48.071966 management.257 > module-2.32889: P 5:59(54) ack 69 win 65467 (DF)
11:28:48.105407 module-2.32889 > management.257: . ack 59 win 5840 (DF)
11:28:48.105668 management.257 > module-2.32889: P 59:72(13) ack 69 win 65467 (DF)
11:28:48.105685 module-2.32889 > management.257: . ack 72 win 5840 (DF)
11:28:48.106663 module-2.32889 > management.257: F 69:69(0) ack 72 win 5840 (DF)
11:28:48.106878 management.257 > module-2.32889: . ack 70 win 65467 (DF)
11:28:48.107070 management.257 > module-2.32889: F 72:72(0) ack 70 win 65467 (DF)
11:28:48.107087 module-2.32889 > management.257: . ack 73 win 5840 (DF)
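
An added example, not part of the original thread: a short Python script that totals the payload bytes each side sends on a logging connection and reports which side sends the first FIN, from classic tcpdump text output like the capture above. The sample is the first connection from that capture with the wrapped lines rejoined; the function and variable names are this example's own.

```python
import re
from collections import defaultdict

# First connection from the capture in the post, wrapped lines rejoined.
CAPTURE = """\
11:28:32.715848 module-2.32888 > management.257: S 2425846703:2425846703(0) win 5840 (DF)
11:28:32.716150 management.257 > module-2.32888: S 2256300641:2256300641(0) ack 2425846704 win 16384 0,nop,nop,sackOK>
11:28:32.716190 module-2.32888 > management.257: . ack 1 win 5840 (DF)
11:28:32.716251 module-2.32888 > management.257: P 1:5(4) ack 1 win 5840 (DF)
11:28:32.716806 management.257 > module-2.32888: P 1:5(4) ack 5 win 65531 (DF)
11:28:32.716837 module-2.32888 > management.257: P 5:9(4) ack 5 win 5840 (DF)
11:28:32.868495 management.257 > module-2.32888: . ack 9 win 65527 (DF)
11:28:32.868515 module-2.32888 > management.257: P 9:69(60) ack 5 win 5840 (DF)
11:28:32.869060 management.257 > module-2.32888: P 5:59(54) ack 69 win 65467 (DF)
11:28:32.905408 module-2.32888 > management.257: . ack 59 win 5840 (DF)
11:28:32.905634 management.257 > module-2.32888: P 59:72(13) ack 69 win 65467 (DF)
11:28:32.905652 module-2.32888 > management.257: . ack 72 win 5840 (DF)
11:28:32.906653 module-2.32888 > management.257: F 69:69(0) ack 72 win 5840 (DF)
11:28:32.906854 management.257 > module-2.32888: . ack 70 win 65467 (DF)
11:28:32.906970 management.257 > module-2.32888: F 72:72(0) ack 70 win 65467 (DF)
11:28:32.906989 module-2.32888 > management.257: . ack 73 win 5840 (DF)
"""

# timestamp, "src > dst:", TCP flags, then optional "first:last(length)".
LINE = re.compile(
    r"^\d\d:\d\d:\d\d\.\d+ (?P<src>\S+) > (?P<dst>\S+): "
    r"(?P<flags>[SFPRWE.]+)(?: \d+:\d+\((?P<len>\d+)\))?"
)

def summarize(text):
    """Return {(endpoint_a, endpoint_b): stats} for tcpdump text output."""
    flows = {}
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # banner lines and anything unparsable
        src = m["src"]
        key = tuple(sorted((src, m["dst"])))  # same key for both directions
        f = flows.setdefault(
            key, {"bytes": defaultdict(int), "first_fin": None})
        f["bytes"][src] += int(m["len"] or 0)  # pure ACKs carry no length
        if "F" in m["flags"] and f["first_fin"] is None:
            f["first_fin"] = src
    return flows

if __name__ == "__main__":
    for (a, b), f in summarize(CAPTURE).items():
        print(f"{a} <-> {b}: payload {dict(f['bytes'])}, "
              f"first FIN from {f['first_fin']}")
```

On this sample the module sends 68 bytes, the management server sends 71, and the module closes the connection first, which matches the observation that the ACK numbers never climb past about 70.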




=================================================
To set vacation, Out-Of-Office, or away messages,
send an email to [EMAIL PROTECTED]
in the BODY of the email add:
set fw-1-mailinglist nomail
=================================================
To unsubscribe from this mailing list,
please see the instructions at
http://www.checkpoint.com/services/mailing.html
=================================================
If you have any questions on how to change your
subscription options, email
[EMAIL PROTECTED]
=================================================


                